Has anyone successfully restricted Visual Studio Team Services access by IP address? The following blog post says it is possible by connecting the VS Team Services with Azure AD.
https://blogs.technet.microsoft.com/ad/2015/06/25/azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work/
After signing up will see the Visual Studio Team Services application on the application tab of the Azure AD portal. You can then go to the application's configure tab and set access rules, just like you would for other applications. (Like the Twitter example above.)
I have connected Team Services with Azure AD, but when I go in the Azure AD portal, click on applications under my domain and then click on "Visual Studio Online" all I get is a "Dashboard" with usage graphs. There is no "Configure" tab as the blog post says there should be. I have backed my Team Services account with TFS. Any ideas?
Thanks.
Think I found the issue. In the below link it says:
These capabilities will be available to customers that have purchased an Azure Active Directory Premium license.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/
Since I'm not subscribed to Azure AD Premium that is most likely why I don't get the configuration tab and the option to restrict access by IP address. Some what annoying that you would have to pay for Azure AD Premium access to get such a standard feature when already paying for VS Team Services.
You can do this in the AD: azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work:
Blocking external access
In other cases only users on the corporate network may be allowed to
access a SaaS application. This rule can help prevent data leakage and
in some cases can help you meet regulatory requirements.
When an app is on-premises you would have easily been able enforce
this policy at your network boundary. With the app in the cloud this
becomes more challenging.
We've helped address by adding the block access when not at work rule.
This rule can be applied to any of your Azure AD applications that
support conditional access.
The page below shows the option on the same Twitter configure tab as
above.
When you choose this option only users coming from an IP address that
falls within an IP range you have identified will be allowed access to
the application.
Related
I wanted to see if someone could help me with my capstone project. I selected access control and authentication. I need to help a company having issues with employees being able to open vital documents on the company network. I'm using Microsoft Azure to try and fix the problem. I'm trying to outline what I need to do to create a better access control system using a virtual machine in a Windows environment (1 X domain controller, 1 x clients, 4 users) to deliver a solution. I want to look at implementing DAC, RBAC, MAC, or a combination to help protect the essential information. Can anyone please break down a step-by-step process of what I should do? I need the virtual network and set up a topology. I was thinking about the hub-to-spoke topology, but it can change if something is better to use. In 2018, I last worked with Azure and access control, and I feel that I'm jumping around and missing some areas.
• I would suggest you to first create a set of virtual networks based on your different office locations or the assigned location of your employees. The address spaces used for these virtual networks should also be different and not overlap to avoid policy and access applications to the other networks. Once done, then configure the virtual machines for the concerned employees accordingly and the connectivity solution for them also, i.e., through RDP or Bastion host as such.
• Then, ensure that the user IDs are created according to the employee’s requirement for access to the Azure resources deployed, i.e., the resources may be Azure file share, blob storage, any Web app created or any certificate, secret in the key vault. Then provide access to the concerned user to that Azure resource through RBAC (Access control IAM) by providing the concerned user required access by assigning them roles according to the level of access required for that resource.
• Also, ensure that you have assigned an Azure role assignment to every user though alike if they are using resources on Azure. In this case, you can create a custom role with the required permissions, actions, and data actions necessary for that Azure role. While doing this, you will also be enrolling your users for Office 365 services to have appropriate access to online office software and mailbox. During which, you will need to opt for Azure Information Protection license such that the documents, mails, etc. are protected even after they leave the organization’s domain, i.e., client systems. Also, you would need Azure AD Premium P2 and Enterprise Mobility + Security (EMS) E5 licenses.
Thus, in this way, you can set up your organization’s infrastructure in Azure with secure and proper access. Please find below links for more information regarding the specific feature configuration: -
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first
The above link describes the use and configuration of Access packages in Azure and how you can use them to create a workflow for approval and requests for assigning the required resources for a particular project in Azure. Similarly, regarding the implementation of Azure Information Protection, kindly refer to the documentation link below for configuration and more details: -
https://learn.microsoft.com/en-in/previous-versions/azure/information-protection/infoprotect-quick-start-tutorial
https://learn.microsoft.com/en-us/azure/information-protection/faqs
Disclaimer: Some messages/menus are translated from Dutch and might not match literally.
So, in my search for enabling Account settings sync in Windows, i ended up in Azure, but there I stranded.
My goal is to enable Account settings sync in Windows (found under Start->Settings->Accounts->Sync your settings) This is now grayed out with a red message at the top "Synchronization is not available for your account. Please contact your system administrator to resolve this."
Apparently this has something to do with my Office 365 account being listed under the Start->Settings->Accounts->Access to work or school as "Connected to Azure AD from [company name]"
When i try to disconnect my PC from this organisation network it says "This PC is not added to a domain"
So searching on it lead me to the Azure AD portal when i should enable the "User may sync settings and app data" found under Azure Active Directory->Devices->Device Settings. However, this setting is missing from my portal. Comparing with screenshots found on the internet it seems to be the only setting on that page that is missing.
That lead me to enable Enterprise State Roaming found under Azure Active Directory->Devices->Enterprise State Roaming, but this is missing completely from the navigation menu.
Am i missing something in any of the steps?
I've read some people are trialing an Azure subscription, but i'm not. I only have an Office 365 Business
subscription.
Look like your system is not in the Domain. You can put the your system in Domain as below --
Go to PC>>Properties>>Change Setting>>Change(under Computer Name)>>Put the Domain Name(under Member Of)>>OK
After that you should add system to Azure AD as below path -
Start->Settings->Accounts->Access to work or school as "Connected to Azure AD from [company name] .
and should able to login through Azure AD authentication.
Yeah, if you're connected to the domain it's at the behest of the domain settings whether or not you can synch and there's not much a user can do about that, and if you disconnect from the domain just to get away from the domain settings to enable it you're not going to have access to the domain.
If you want to synch AND be a part of the domain you have to contact the domain admin.
What is the difference between these two portals and why? And when should I use which of them?
For example:
When I want to configure if/which Java version I want to use in a WebApp, in the "manage"-portal I only can choose between off and v1.7.0_51. In the "portal"-portal I can choose between off, v7 and v8.
Or, if I want to create a new Ubuntu-VM, in the "manage"-portal I can choose between v12.04, v14.04 and v15.04. In the "portal"-portal there is only v14.04.
As commented by Mike, manage.windowsazure.com is the current production Azure Portal while portal.azure.com is the preview portal which will eventually replace the production portal.
From an underlying technology perspective, there's one big difference between the production and preview portal. Production portal makes use of Azure Service Management API while the Preview portal makes use of Azure Resource Manager (ARM). Along with ARM API, you get Role-based access control (RBAC) that enables you to grant granular permissions on your Azure resources to your team members. In the production portal, there's only a concept of Subscription Administrator and Subscription Co-Administrator.
Not all services in Azure has been ported to make use of ARM API as of today and that's why you see only few services in the preview portal. Services that make use of ARM API (all the new services) will only show up the preview portal.
As to when to use what portal, just see the Azure services you need to manage. Based on how they can be managed, you will choose between production and preview portal. Also please note that functionality for a service may differ between portals even though it is present in both portals. That may be another criteria between choosing the portal.
More information Can be find from microsoft site
Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources
I have a MS company account using Office 365 (so myname#mydomain.com is my account), and I use Office, Azure, and Visual Studio Team Services.
However, I cannot find anywhere how to enable 2FA for this account. I can set up 2FA for my normal, personal, windows live Id using this page:
http://windows.microsoft.com/en-US/windows/two-step-verification-faq.
But that doesnt work for company accounts.
Anyone knows if this is possible? thanks!
What you need is Multi-Factor Authentication for Azure Active Directory. It is part of AAD Premium features.
You can read how to enable and configure it here. And more info on it here.
UPDATE
As per documentation:
Multi-Factor Authentication is now included with Premium and can help
you to secure access to on-premises applications (VPN, RADIUS, etc.),
As well as per this documentation:
Azure Multi Factor Authentication is included in Azure Active
Directory Premium and as a result it is also included with the
Enterprise Mobility Suite
Note: MFA is (at least was) possible with the free AAD but only for the Global Admins in the directory, or for Subscription Administrators within an Azure Subscription.
We are spinning up a development against Microsoft Azure and will be making use of Visual Studio Online in conjunction with Microsoft Azure capabilities (PaaS, and IaaS). The majority of our developers will have MSDN subscriptions.
To get started I have set up the Azure Portal with what is being called a "Microsoft Account" (definition based on the FAQ below). I did this in order to establish a POC and demonstration but now I am wondering if this account needs to be an "Organizational Account." My company does use Office365/Outlook so I think it is possible to establish "Organizational Accounts" but I have not been able to determine with our Operations resources what would be necessary.
The question then is should I be using strictly Organizational Accounts for all Azure and Visual Studio Online accounts? If an account has already been set up as a Microsoft account can it be transitioned to an Organizational account? Are there any implications to be aware of?
One of the problems I am currently experiencing is that I cannot be logged into Outlook and Azure at the same time (assume Chrome for this example) unless I use Incognito mode for one of the sites. I am using the same email account for both but for Outlook it is being treated as an organizational account but for Azure it is a Microsoft account.
http://msdn.microsoft.com/en-us/library/dn531048.aspx
I would suggest using Org Accounts only once you have your domain synced to WAAD. This is what we have concluded is the best way to move forward and now are waiting on the Infrastructure gods to approve syncing our AD with WAAD. ...be prepared for resistance in this area.
The link to the FAQ says to contact MS to transition MS to Org account.
We have found this to be a very messy area with little direction from Microsoft to be found. We are not yet adopting VSO until we can use Org\WAAD accounts. They say new VSO accounts now support Org\WAAD accounts but if you have already created a VSO account you currently cannot switch over to Org\WAAD.